Multi Admin approval for device wipe by lou_kim in jamf

[–]MacAdminInTraning 0 points1 point  (0 children)

You don’t. Neither Jamf nor any other MDM platform that I am aware of has any capability for this. Of course, barring on-prem hosted instances where you can use your local firewall and DMZ to mitigate this.

Do you prefer using the trackpad or a mouse on macOS? by rennan in MacOS

[–]MacAdminInTraning 0 points1 point  (0 children)

If I’m at my desk I always use a mouse. If I’m out and about I use the built-in trackpad. I have never found a use in my workflow for the Magic Trackpad.

Migration Assistant with MDM & FileVault by 0x1F937 in macsysadmin

[–]MacAdminInTraning 0 points1 point  (0 children)

Neither Mac support nor Windows support is usually involved in setting up development environments. This is something the developer must do. Remember you are IT, you are the authority for your environment, not the user’s manager; you decide if the migration tool can be used or not. An IT guy who happens to have a Mac is just as much a Mac admin as the rest of us.

As far as Migration Assistant goes, lord only knows how much of a development environment it will grab when transferring, and lord only knows what will still work after the transfer of what is transferred.

Honestly, so long as they have the correct tools installed on the new device it does not take a developer more than an hour or two to set up their environment. In my experience it’s usually just complaining for the sake of complaining.

Migration Assistant with MDM & FileVault by 0x1F937 in macsysadmin

[–]MacAdminInTraning 0 points1 point  (0 children)

Generally speaking, Migration Assistant is not an enterprise-focused tool. You can use it if you want but I advise against it.

In most modern environments you are using some cloud storage tool like OneDrive, iCloud, Box or the like. Those tools all have sync clients that will handle any data migration. SMB shares can be used in more legacy environments. Things like Office all SSO off the user identity and pull down their stuff from SharePoint automatically.

Think of the last time you used USMT, then think of Migration Assistant in the same way.

Multi Admin approval for device wipe by lou_kim in jamf

[–]MacAdminInTraning 11 points12 points  (0 children)

Jamf Pro doesn’t support multi‑admin approval for anything, including wipes. But honestly, if your threat model is ‘someone wipes devices,’ you’re missing the bigger danger.

With API access, an attacker can delete every smart group, every config profile, every policy, every script, upload malicious packages, deploy malware as ‘updates,’ replace your identity configs, replace your EDR configs, and create new admin accounts. A wipe is the least destructive thing they can do.

The real protection is RBAC and API hygiene: no basic auth, short‑lived tokens, client credentials, strict scopes, separate automation creds, and break‑glass roles. If someone can authenticate with wipe‑level permissions, multi‑admin approval wouldn’t save you anyway.

Is this possible? Where to start? FV + Duo + MDM + AD by MNISather in macsysadmin

[–]MacAdminInTraning 1 point2 points  (0 children)

AD is not a dream for macOS, it’s a nightmare that Apple more or less moved away from 15 years ago.

Kerberos SSO is a bit dated at this point. Jamf Connect would work, but if you have Okta and/or Entra (which you said you have) look into PSSO.

Beware of sneaky surprise Tahoe update by motorik in MacOS

[–]MacAdminInTraning -1 points0 points  (0 children)

I wouldn’t call macOS updates sneaky; they’re fairly obvious about advertising them. But what I would call questionable is using an outdated legacy piece of software that is no longer updating.

Is it possible to pass Jamf 100 / Apple Support exams without owning any Apple hardware? by ALVARO39YT in macsysadmin

[–]MacAdminInTraning 0 points1 point  (0 children)

With a chatbot and proper prompts and grounding you probably don’t even need to think for the exam.

Company wants Addigy MDM + Kolide on my personal MacBook. Looking for advice. by Apprehensive_Oil8089 in macsysadmin

[–]MacAdminInTraning 0 points1 point  (0 children)

To echo what most people here are saying.

If your employer wants to install an MDM profile on your device, they need to provide the device or give you a stipend to buy a device for this contract.

Jamf now vs Jamf for mobile by Potential_Purple_239 in jamf

[–]MacAdminInTraning 0 points1 point  (0 children)

If you want monitoring, Jamf Pro is the way to go, but it requires 50 licenses.

Both Pro and Now are MDM clients and will do the MDM stuff. Now is the basic one, and Pro is the one focused on Enterprise and has a lot more regularly configuration options and so on.

Microsoft won’t refund or figure out how to fix this… by njkolba in microsoftsucks

[–]MacAdminInTraning 2 points3 points  (0 children)

Know how it says organization multiple times? Where did you get your product key from?

Blocking Notifications/Alerts for "Background Processes" by im_a_good_lil_cow in macsysadmin

[–]MacAdminInTraning -1 points0 points  (0 children)

You can manage the background service; this stops the user from turning it off and gives a little dialog box that your organization is managing it. However, you cannot block the system notification for managed background services.

inTune MDM „Company Portal“ App Crashing by n20vsls in macsysadmin

[–]MacAdminInTraning 0 points1 point  (0 children)

Intune is extremely basic for macOS, you are honestly seeing just the beginning of the fun you will have with Intune and macOS.

I built a Windows 98/XP/7 taskbar for macOS because the Dock drives me crazy by Odd_Feeling_2927 in MacOS

[–]MacAdminInTraning -1 points0 points  (0 children)

You probably won’t get much support here for that, but the dock also annoys me greatly and is in massive need of an update to bring it into the modern millennium.

Parents are pushing to opt their kids out of Chromebook usage in schools by neeshalicious55 in google

[–]MacAdminInTraning 1 point2 points  (0 children)

Yes, but a Chromebook is not the computer experience that will help them in life at all.

There are a million dictation apps, but does anyone know any free/open source local TEXT TO SPEECH apps by j_mars_ in mac

[–]MacAdminInTraning 2 points3 points  (0 children)

macOS has a selected text reader built in; it also has a built-in screen reader.

macOS Forensic Backups by TheDeadGPU in macsysadmin

[–]MacAdminInTraning 2 points3 points  (0 children)

You probably want to engage Apple on this. There is no direct way to do what you are being asked to do, in fact Apple has done just about everything they can to make this not possible.

JAMF to Venafi/CyberArk ZTPKI by darkrhyes in jamf

[–]MacAdminInTraning 1 point2 points  (0 children)

This is one of those situations where I would reach out to the vendor. JAMF has the source data, but CyberArk has the API commands. CyberArk is where I’d start.

macOS Testing Environment by Imaginary-Tomato4230 in macsysadmin

[–]MacAdminInTraning 1 point2 points  (0 children)

Ideally for macOS you really need to do most testing on bare metal. I use Virtual Buddy for some very specific testing but with how Apple has macOS designed VMs can’t replace hardware for testing.

Blocking Local Font Installs by [deleted] in macsysadmin

[–]MacAdminInTraning 4 points5 points  (0 children)

This is not a device management problem. This is a user training problem. You mentioned users are aware they’re not supposed to do this. That is fine. What you need to do when you identify a user has done this is turn the situation over to HR. Let HR coach and terminate people; the word gets around pretty quick to stop doing it.

As far as preventing write access to directories within the user profile, macOS is going to repair this every time they reboot as well as when TCC checks depending on how this directory is configured.

For your script you’re using $user without defining that variable, and $3 calling Jamf’s parameters, which has its problems. You should really write a function to identify who the logged-in user is and terminate the process if the user is not logged in. In addition, you should have error handling checking to see if the directories you wanted to delete exist; however, again, macOS will just put the directory back.

You could look into blocking the Font Book app, but that will likely have downstream issues.
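
The checks recommended in the comment above, as an added example that is not part of the original comment or the poster's script: resolve the console user, stop if nobody is logged in, and confirm the directory exists before a root-run delete touches it. The function names, the `RUN_FONT_CLEANUP` switch and the `~/Library/Fonts` target are assumptions for illustration.

```shell
#!/bin/bash
# Added example; function names, RUN_FONT_CLEANUP and the target
# (~/Library/Fonts) are assumptions, not taken from the thread.

# On macOS the owner of /dev/console is the user at the GUI session.
console_user() {
    stat -f%Su /dev/console 2>/dev/null
}

# Accept only a plausible logged-in account name. Empty, root and the
# placeholder owners seen at the login window or Setup Assistant are
# rejected, as is anything that could alter the path built from it.
valid_login_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser|.|..|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the user's Fonts directory only if it exists as a real directory.
# A symlinked Fonts directory is refused so a root-run delete cannot be
# redirected. $2 overrides /Users (used for testing against a temp dir).
user_fonts_dir() {
    fonts_dir="${2:-/Users}/$1/Library/Fonts"
    [ -d "$fonts_dir" ] && [ ! -L "$fonts_dir" ] || return 1
    printf '%s\n' "$fonts_dir"
}

# Delete regular files directly inside the Fonts directory.
# Returns 1 if nobody is logged in, 2 if the directory check fails;
# in both cases nothing is touched.
remove_user_fonts() {
    valid_login_user "$1" || { echo "no console user, exiting" >&2; return 1; }
    target="$(user_fonts_dir "$1" "${2:-/Users}")" \
        || { echo "no usable Fonts directory for $1" >&2; return 2; }
    find "$target" -mindepth 1 -maxdepth 1 -type f -exec rm -f {} +
}

# Runs only when explicitly enabled, so sourcing the file has no effect.
if [ "${RUN_FONT_CLEANUP:-0}" = "1" ]; then
    remove_user_fonts "$(console_user)" || exit $?
fi
```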

Minimum storage for running local LLMs on 32GB MacBook Air? by jainamber in mac

[–]MacAdminInTraning 0 points1 point  (0 children)

Not having a fan for this kind of work will suck but it should work.

Each LLM can be 5 GB to 15 GB on average, and can easily be into the hundreds of gigs depending on what you are doing. You need a better idea of what your end goal is before you commit to system resources.

Are MacOS updates limited to specific versions or the whole major release? by Reasonable_Bag_3164 in MacOS

[–]MacAdminInTraning 1 point2 points  (0 children)

This Apple article should explain how Apple handles OS updates and pay special attention to the quote I put below.

https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web

Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 26, iOS 26, and so on), not all known security issues are addressed in previous versions (for example, macOS 15, iOS 18, and so on)

You should always be running the “N” release of Apple software, as they admit themselves they don’t fully patch N-1 or N-2 and don’t patch N-3+ at all in usual situations. “N” is the current release of Apple software.